Heartbleed, Phishing Scams and Password Resets

Everyone is in a frenzy due to the zero-day vulnerability (CVE-2014-0160) affecting OpenSSL nicknamed ‘Heartbleed’, and rightly so given the extent of the vulnerability and the relative ease of exploitation. In brief, attackers who exploit the vulnerability can monitor all data passed between a service and client or decrypt historical encrypted data that was previously collected.

In addition OpenSSL runs atop two of the most widely used Web servers, Apache and nginx, as well as email servers (SMTP, POP and IMAP protocols), chat services (XMPP protocol), virtual private networks (SSL VPNs) and other software that use the OpenSSL code library.

OK – this is big. But now the question of the day is what are we, the average netizens, supposed to do next?

So do we all need to change our passwords immediately? According to Graham Cluley, that’s a bad idea, and you should only change your password after a company has:

Checked to see if it is vulnerable

Patched its systems

Grabbed a new SSL certificate (having revoked their previous one)

Told you it is fixed

The problem is, as Cluley explains, there are plenty of instances where people are being advised to change all their passwords everywhere now instead of waiting for the queue that it’s advisable to do so. Expect that companies affected will make the necessary fixes and notify you that it’s time to reset your login credentials, whcih leads us to the next issue: Phishing.

Thirtyseven4, LLC, a provider of Windows, Mac and Android antivirus solutions, issued a warning for Internet users that there may be an influx of Phishing emails designed to trick people into divulging their usernames and password or clicking on malicious links with faux notifications designed to look as if they were issued by legitimate sources.

“Given the severity and broad scope of the Heartbleed bug, in combination with the influx of email warnings by corporations suggesting immediate password resets as well as the panic-postings that are currently flooding the Internet: we can expect virus writers and hackers to capitalize on this golden ticket opportunity,” said Thirtyseven4’s Steven Sundermeier.

“Users are going to be expecting and waiting on these emails from their service providers and cybercriminals know that. Users should reset passwords as recommended, but they must guard against panic that causes safe computing common sense to fly out the window,” concluded Sundermeier.

It’s always a good idea to use caution regarding emailed notifications that contain links or attachments, or that ask for sensitive information like login credentials – but that is especially important today given the level of hysteria over Heartbleed. Be careful, use your head.

Mashable has provided a good resource – they reached out to companies listed here that could potentially be affected by Heartbleed, summarized the responses from “some of the most popular social, email, banking and commerce sites on the web.”

“Some Internet companies that were vulnerable to the bug have already updated their servers with a security patch to fix the issue. This means you’ll need to go in and change your passwords immediately for these sites. Even that is no guarantee that your information wasn’t already compromised, but there’s also no indication that hackers knew about the exploit before this week,” the article states.

“The companies that are advising customers to change their passwords are doing so as a precautionary measure. Although changing your password regularly is always good practice, if a site or service hasn’t yet patched the problem, your information will still be vulnerable.”